NetBSD Problem Report #53512
From www@NetBSD.org Sat Aug 11 13:50:10 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 432967A19B
for <gnats-bugs@gnats.NetBSD.org>; Sat, 11 Aug 2018 13:50:10 +0000 (UTC)
Message-Id: <20180811135008.CA1147A1D7@mollari.NetBSD.org>
Date: Sat, 11 Aug 2018 13:50:08 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: A dynamically configured interface which has not yet obtained an address can cause npf & npfd to fail
X-Send-Pr-Version: www-1.0
>Number: 53512
>Category: bin
>Synopsis: A dynamically configured interface which has not yet obtained an address can cause npf & npfd to fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: maxv
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 11 13:55:00 +0000 2018
>Closed-Date: Tue Oct 30 13:58:55 +0000 2018
>Last-Modified: Tue Oct 30 13:58:55 +0000 2018
>Originator: Sevan Janiyan
>Release: NetBSD-8
>Organization:
>Environment:
NetBSD 8.0 macppc powerpc
>Description:
A rule which calls inet4() or inet6() to obtain the address of an interface fails if an address has not been obtained by the time npf has been started by rc.d. This is a problem on a system where the interface is wireless and associating takes a while. The follow-on from this is npfd failing to start with "npfd: pcap_dump_open failed for `/var/log/npflog0.pcap': /var/log/npflog0.pcap: not-yet-activated pcap_t passed to pcap_dump_open"
>How-To-Repeat:
On a system with a wifi interface which connects to a WPA protected network & is configured via DHCP,
create the following /etc/npf.conf:
# Derived from /usr/share/examples/npf/host-npf.conf
$wifi_if = "urtwn0"
$wifi_v4 = { inet4(urtwn0) }
$wifi_v6 = { inet6(urtwn0) }
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

group "wifi" on $wifi_if {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	pass in final family inet4 proto icmp to $wifi_v4

	pass in final family inet4 proto tcp \
		from any port bootps to $wifi_v4 port bootpc
	pass in final family inet4 proto udp \
		from any port bootps to $wifi_v4 port bootpc

	pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh

	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet4 proto udp to $wifi_v4 port $services_udp

	# IPSEC
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet4 proto udp to $wifi_v4 port isakmp
	pass in family inet6 proto esp all
	pass in family inet4 proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wifi_v6
	pass stateful out final family inet4 proto tcp flags S/SA \
		from $wifi_v4

	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet4 proto tcp from $wifi_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet4 from $wifi_v4
}

group default {
	pass final on lo0 all
	block all apply "log"
}
Enable npf & npfd alongside wpa_supplicant & dhcpcd in /etc/rc.conf:
wpa_supplicant=YES
wpa_supplicant_flags="-i urtwn0 -c /etc/wpa_supplicant.conf"
dhcpcd=YES
dhcpcd_flags="-b"
npf=YES
npfd=YES
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 03 Sep 2018 06:14:44 +0000
State-Changed-Why:
Use ifaddrs() instead of inet4()/inet6(). inetX are static, and can't work
in your case, see the latest npf.conf(5) man page. Can you try?
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/53512 (A dynamically configured interface which has not yet obtained an address can cause npf & npfd to fail)
Date: Sat, 27 Oct 2018 15:40:16 +0100
On 9/3/18 7:14 AM, maxv@NetBSD.org wrote:
> Use ifaddrs() instead of inet4()/inet6(). inetX are static, and can't work
> in your case, see the latest npf.conf(5) man page. Can you try?
Thanks Maxime, that did the trick.
Sevan
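The shape of the working configuration, as an added example that is not part of the PR or of NetBSD's own host-npf.conf: the two sets built from inet4()/inet6() are replaced by one set built from ifaddrs(), which is the change maxv suggested and Sevan confirmed. inet4()/inet6() are expanded once when npfctl loads the ruleset, so with no lease yet there is nothing to expand and the load fails; ifaddrs() refers to whatever addresses the interface holds when a packet is inspected, so the ruleset loads before dhcpcd has finished and the rules start matching once an address appears. It is assumed here that the family keyword on each rule restricts which of the ifaddrs() addresses are relevant, and the remaining rules from the report are carried over unchanged apart from the set name.

```conf
# Added example (not the PR's own config): dynamic interface addresses
# so that npf can be loaded before dhcpcd has obtained a lease.
$wifi_if = "urtwn0"
# ifaddrs() is resolved against the interface's current addresses at match
# time instead of once at load time (see npf.conf(5)); it is assumed to
# cover both address families, with the rule's family keyword narrowing it.
$wifi_addrs = ifaddrs($wifi_if)
$services_udp = { ntp }

procedure "log" {
	log: npflog0
}

group "wifi" on $wifi_if {
	# linklocal and administrative multicast, independent of our address
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	# rules that previously used $wifi_v6 / $wifi_v4 now use the one
	# dynamic set; family selects the v6 or v4 members
	pass in final family inet6 proto ipv6-icmp to $wifi_addrs
	pass in final family inet4 proto icmp to $wifi_addrs
	pass in final family inet4 proto udp \
		from any port bootps to $wifi_addrs port bootpc
	pass in final family inet6 proto tcp flags S/SA to $wifi_addrs port ssh
	pass in final family inet6 proto udp to $wifi_addrs port $services_udp
	pass in final family inet4 proto udp to $wifi_addrs port $services_udp
	pass in final family inet6 proto udp to $wifi_addrs port isakmp
	pass in final family inet4 proto udp to $wifi_addrs port isakmp
	pass in family inet6 proto esp all
	pass in family inet4 proto esp all

	pass stateful out final family inet6 proto tcp flags S/SA from $wifi_addrs
	pass stateful out final family inet4 proto tcp flags S/SA from $wifi_addrs
	pass out final family inet6 proto tcp from $wifi_addrs
	pass out final family inet4 proto tcp from $wifi_addrs
	pass stateful out final family inet6 from $wifi_addrs
	pass stateful out final family inet4 from $wifi_addrs
}

group default {
	pass final on lo0 all
	block all apply "log"
}
```

Check the file with `npfctl validate /etc/npf.conf` before `npfctl reload`; with ifaddrs() the validation no longer depends on the interface being up, so it can be run on a freshly booted box with the wifi still associating. The npfd failure in the report was a consequence of the ruleset not loading, so once npf starts cleanly npfd should start as well; the rc.conf lines from the report need no change.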
Responsible-Changed-From-To: bin-bug-people->maxv
Responsible-Changed-By: sevan@NetBSD.org
Responsible-Changed-When: Tue, 30 Oct 2018 13:58:55 +0000
Responsible-Changed-Why:
Maxime was right
State-Changed-From-To: feedback->closed
State-Changed-By: sevan@NetBSD.org
State-Changed-When: Tue, 30 Oct 2018 13:58:55 +0000
State-Changed-Why:
Using ifaddrs() resolved the issue
>Unformatted:
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.